Unpatched Zero Day Vulnerability in Internet Explorer 8

SUBTITLE:  Remote code execution | CVE-2014-1770
ACTIONS:  Expect future MS patch; standard IE mitigation techniques

Security researchers have released details about a vulnerability in Internet Explorer 8 that could allow bad actors to take control of a computer. At the time of this writing, Microsoft has not released any news of a security update to resolve this vulnerability. While there are some mitigation steps that can be taken to prevent an exploit, Mytech believes that most of our clients are not at elevated risk from an attack.

As always, the Mytech NOC recommends that our customers apply a “defense in depth” strategy to protect their networks. This includes keeping all software current and not operating as a local administrator on their computer. This vulnerability will only target IE 8, which is three versions behind the current browser. The risk of exploit is only carried by users running that browser who are also local administrators – which is not a large population.

Even in these situations, a company that has a current security services subscription on their firewall and an anti-virus solution in place for their email will further reduce the risk. Finally, even if a user somehow gets to a malicious website that can exploit this vulnerability, an up to date Antivirus solution should help keep the threat to a minimum.

Mytech assumes that Microsoft will eventually release an update for this vulnerability, and we will ensure that our customers receive this as part of their managed services.

If you have any questions about your defense in depth strategy, or about this vulnerability, please contact Mytech Partners, Inc. For more technical information on this vulnerability, please see the links below.

REFERENCES

CVE-2014-1770 at the National Vulnerability Database
Original Disclosure Statement at ZeroDay Initiative